The McAfee Site Advisor add-on has an appalling memory leak

TL;DR: If you have the McAfee Site Advisor add-on installed in your Firefox, I recommend you disable it immediately because it has an appalling memory leak.

I wrote yesterday about a reader’s results with the McAfee Site Advisor 3.4.1 and McAfee ScriptScan 14.4.1 add-ons for Firefox — he was finding that they greatly increased Firefox’s memory consumption.

This morning I tested Site Advisor 3.4.1 myself, and found that, when enabled, it leaks every single content compartment that is created. In other words, most of the JavaScript memory used for any page opened with Firefox is never reclaimed. In terms of memory consumption, this is pretty much the worst possible behaviour for an add-on. This excessive memory consumption is likely to cause Firefox to run much more slowly and crash much more often.

In the bug report I recommended that we block-list it immediately and contact McAfee, but Jorge Villalobos told me that block-listing is considered an option of last resort. Three McAfee people have been CC’d on the bug and I’ve been told that some other Mozilla people are contacting McAfee via other channels. Hopefully we’ll see concrete action soon.

If anyone else can replicate my results, particularly for older versions of Site Advisor, that would be useful to know. Steps to reproduce are in the bug report.

As for ScriptScan 14.4.1, I haven’t tried it myself because I haven’t been able to find where to download it from. My searching just turned up lots of references, such as this one, to when Mozilla block-listed version 14.4.0 because it was crashing so frequently. (Site Advisor 3.4.0 was block-listed at the same time. And SiteAdvisor 3.3.1 was also block-listed due to crashes!) If anyone can tell me where to get ScriptScan from that would be very helpful.

If you have any McAfee add-ons installed in your Firefox, I strongly recommend disabling them immediately. McAfee clearly has a poor record when it comes to the quality of their Firefox add-ons. I also personally found Site Advisor to be an extremely annoying and unhelpful add-on. I’m no expert on Windows security but if you are looking for alternatives I have heard numerous people say that Microsoft Security Essentials is the best anti-virus/security system for Windows — it’s reputedly very effective, and is free of charge and non-intrusive. It also doesn’t install any add-ons into Firefox.

I found that slightly amusing as a similar condition occurs when folks say ‘Windows always crashes’ when most of the time it’s a faulty/poorly written 3rd party driver. I see siteadvisor is to be fixed asap.

I think we should not allow third parties to install un-reviewed add-ons. If the user wants an un-reviewed add-on and finds it online, that’s cool. But McAfee clearly should not be able to shove code into Firefox without our OK.

I completely agree. There are a lot of problematic addons installed by third parties without the user’s consent (or cheating him with an opt-in option in a setup), and antivirus addons are only a small part of them!

Why do you guys hesitate to nuke this? Just nuke the damn thing from orbit with the blocklist, it was what it was designed for in the first place. The add-on is clearly degrading the experience for Firefox users, if companies can’t write add-ons that aren’t buggy, they shouldn’t be in Firefox period.

Let’s just say there are a range of opinions within Mozilla about how to handle this kind of thing 🙂 With my MemShrink hat on I want no add-ons to be allowed with review. With my open source hat on I don’t want us to be like iOS where nobody can add anything without permission from Mozilla. (Yes, there are differences between Firefox and iOS and so this comparison is not totally apples-to-apples.)

Nicholas, I’m with you here. We have 2 hats: protecting Firefox’ reputation while protecting generativity. I don’t want Mozilla to end up having the same behavior as Apple, who controls what kind of code you are allowed to run on your device.

You have got to open a bug to finally stop this madness once and for all.
I’m talking about unwanted plugins or extensions. Firefox 8 does not go far enough.

Right now: A lot of crap installs things into Firefox, the most annoying probably being things like Java or WPF which you get easily installed into your Firefox.

People have these as well as Antivirus plugins and then it happens: Firefox is slow, unresponsive, crashes a lot.
The common user right now investigates the issue with the task manager…
Firefox using 1,5 GB…that’s not good. So they open the addon page and are baffled by the amount of crap that they find there. Most OEM PCs come with a lot of software just ready to install crap into your Firefox if you use the browser, so it is already bloated and slow as soon as you start it for the first time!! This is ludicrous, why do you allow this?
The user that sees this addon page will be in a state of shock afterwards. The next thing he does is download Chrome or even switch back to IE.

Why can I completely remove every addon I voluntarily added, but not the crap that I did not even consent to getting installed?

You guys have to get your game on and start working on this immediately. Every Addon or even plugin should be on AMO, no addon should require a proper installation, only a restart and finally, nothing should install itself into Firefox in any way, shape or form unless the user specifically clicks YES on a warning box that is specific as well (e.g. allowing Java to install but being able to completely deny any installation of the Console or the plugins into Firefox proper).

Killing these (mostly) plugins wouldn’t even offend any of the addon authors and it is the only way I see for Firefox to survive. Don’t forget that Chrome right now is almost finished with an API that basically allows things like ABP to work flawlessly there. It could be the end of Firefox to paint a darker picture.

The ability for any third party to install plugins into Firefox has bemused me for years. Here is Mozilla claiming its security is such a strength and any piece of malware written on the NPAPI can install itself unhindered except for one pop-up that a lot of people will just click away? Amazing. I may be missing a few points of view here but this situation seems like the ultimate in left hand doesn’t know what the right hand does.

On McAfee, I wonder if any similar software, such as the free AVG LinkScanner® Surf-Shield and LinkScanner® Search-Shield behave similarly? Additionally I wonder how many users realize that installing such software is duplicating the built-in browser white/blacklist protection supplied to Firefox by Google?

Lastly, McAfee is owned by Intel isn’t it? Surely Intel has enough resources to fix this problem? So why not kill this extension until they get it right? This is not a case of destroying an otherwise innocent small-time developer’s AMO credentials or reputation. This is a case of get your act together oligopoly boys!

I think this is such a no-brainer. You do what is right by your users firstly and secondly what is best for your brand / product. How is an awful memory leaking add-on good for users? How does it make their web experience better?

Mozilla believe in choice, yet you don’t have an option to block add-ons for users. I just updated Java and it dumped three add-ons into my Firefox, of which Firefox asked me about one. The other two were just enabled. WTF? I can’t remove them either.

I am at the point that I HAD to switch to IE9 for playing my Flash games in Facebook. The experience in Firefox is so bad ATM that it is unplayable. The browser will freeze for like 10+ seconds every time you go into the game. It locks everything, so it is not like you can switch to another tab and wait it out, because the browser is basically unusable.

I have a rhetorical question for Mozilla. With IE10, Chrome 17 and Opera 12 all scoring above 340 on HTML5test.com, you have to realise that all browsers have HTML5 parity. So the only thing differentiating these browsers is user experience. Currently, Firefox offers nothing in that department.

Two weeks from now when Windows 8 Customer preview launches, I am planning on switching to that, and funny enough, for the first time since I became a Firefox user, I am not planning to install it.

So please debate all you want, but to influence the web, you need a user base and guess what, your base is switching to something better…

Just try the following, Nicholas or Asa or whoever else works on Firefox:

1) Do a clean install of Windows XP
2) Behave like a typical user by downloading everything offered to you by Windows Update (typical users either don’t update or recklessly install every update.)
Right now you should have:
– .NET Framework (Fx Addons: WPF and .NET Framework)
– Silverlight (FxA: Silverlight Plugin)
– various others
Now do you see how crazy this is?? Wait, there’s more.
3) Install Java, because you don’t have a choice (but you don’t want the 2 plugins and Java Console 😉 )
4) Install various other things such as Google earth or -Updater etc. (Plugins: pretty nice, you won’t get rid of these easily 😉 )
5) After having everything downloaded, download Firefox
6) Look at about:addons
7) ???
8) Download Chrome (remember: YOU are the Firefox developer in this experiment 😉 )

Please: just do something. Firefox is losing users. Simple logic follows and tells us, that things, as they are right now, are going wrong, so change is a good thing.

Justin Lebar has opened a bug for this: it’s Bug 728227

There’s nothing Mozilla can do to truly prevent third parties installing addons in Firefox – if at all possible, that would be a job for the OS.

Even if a solid mechanism was included to stop this behavior, as soon as another program has write-access to the computer, it could modify the Firefox executable to disable that mechanism. You can make it more difficult, but you can’t stop it completely.

This is the reason why, even to this day and despite all the improvements you all made with Memshrink and Snappy, there are still users who have a bad experience when using Firefox.

These third party Plugins (mostly but remember the Addon “Java Console”) are killing your browser and thusly a famous example of the success of the FOSS movement.
They cause Firefox to be:
– slow, laggy, unresponsive, crashy, insecure!!!, memory hog-gy, uncomfortable, annoying, every other bad word you could imagine.

Firefox will be blamed for this 90% of the time, but that doesn’t even matter, don’t you understand? The other 10% will look at about:addons, see that the browser literally is stuffed with ugly things that you cannot even remove: “It looks horrible. Firefox can’t even keep their own browser clean! Why can’t I remove any of this! I’ve about had it with this browser!” and the outcome is the same.

Example: I clicked twice and accidentally skipped a page in the Foxit Reader Installer; on this page were 2 checked options for installing a PDF plugin and an Ask.com Toolbar. They got installed and Firefox became unusable with my slow machine. Luckily you could uninstall everything.
Google Updater and Earth on the other hand stay on about:addons forever, because they don’t uninstall completely.

It really is bad, do people like Jorge Villalobos wish to lose their job or see a great example of FOSS dying?

Just one thing: No matter how long you do Memshrink and Snappy. No matter how many bugs you fix. These Plugins/Addons will always kill you. They really do, if you don’t do anything about it.

What if these addons (many of them by Google wink wink) are slow and buggy for a reason: to kill the experience for Firefox users!!!
Ever thought about that? Google won’t pay a dollar to Mozilla if the browser has no user base anymore.

A message is certainly an option for the McAfee add-on. I think McAfee would prefer silent disabling via the block list to bad publicity coming directly to their userbase. That should help with your discussion with the add-on people.

McAfee fixed the addon internally last Friday; most users should be getting it this week with the remainder trickling in over the following one. Their request was for the block on the current version to go in place at the end of the deployment period.

I can’t help but wonder if McAfee is silently installing the add-on not just during its own install process, but later once the user installs Firefox. Reason being, I know no one who has deliberately installed McAfee after researching the options, but McAfee is very common as bundleware on new systems. And if McAfee is doing this, we need to stop it from doing that. Installing a browser add-on should always be done with the user’s consent.

For my two cents, I disagree with the position that all add-ons should be AMO reviewed to be installable, but the user should be made well-aware that the add-on was not so reviewed before installation. That allows users to try beta/alpha builds of add-ons like Firebug, without having to wait for the review process. In fact I’d go so far as to say that not allowing non-AMO add-ons at all is completely untenable, but I don’t know of any honest developer who would object to requiring informed consent. Heck, I’m sure even McAfee would be behind that, since to them (like other antivirus developers) they’re just installing the add-on automatically to be “helpful”.

First I think Mozilla should look at AMO and make sure they understand the territory. I reckon it will go with the Pareto Principle i.e. 20% of the add-ons will account for 80% of the market share, or something like that. It may be that the top 20 (add-ons with the most users) is 50% of the market share. You get the idea.

If this is the case, Mozilla should waste no time in making sure that these add-ons have no memory leaks at all and that they pose no problems at all. As someone else said in the comments somewhere on this blog recently, pick your battles.

It’s a question of time/resource management. Instead of trying to fix all the add-ons, direct the few people you have toward fixing the vital few that have the biggest userbase. Make sure that these top 10 or 20 are problem free, then move onto the next 5 or 10 that are lower down the list. Once you have sorted every memory leak in the top 20-30 add-ons on AMO, then surely lots of problems will disappear.

You could also easily do the same for the top 10 or 20 add-ons that aren’t hosted on AMO. I don’t know if it’s harder for Mozilla to get data on add-ons not on AMO, but if you can, then a similar method of deploying resources effectively and targeting the add-ons with the most active users will help massively.

Finally, something needs to be done about the add-ons not on AMO. I personally think that you shouldn’t allow add-ons that aren’t on AMO, and to allow them in, they have to pass stringent tests.

Firefox is now more than holding its own in both terms of overall usage and how quickly it releases memory when tabs are closed. It is clearly the best browser when it comes to a heavy tab load, miles better than Chrome who is the only real competition in the market place at this time. I am sat here using 11 beta 3 and it is awesome, and this is a version that hasn’t even begun to benefit from Snappy yet, just Memshrink.

People may say that Tomshardware is awful but I think it’s worth making a note of because the browsers are all put through the same tests, on the same day, using the exact same hardware and software and it levels the playing field and removes all the variables you get when you have people discussing memory performance online and someone will post saying how it’s excellent and someone else will come back saying it’s not quite as good for them or that it’s downright terrible. So the tests themselves may not be the best but they are on a level playing field and most importantly, Firefox is used without any add-ons and its performance on memory which is what it has the worst reputation for is top notch.

Mozilla’s number one problem now is the add-ons and the reputation that is hard to shake. It’s even got to the point now where you probably have people saying how bad the memory consumption is, and they have never experienced it first hand. They simply repeat in parrot fashion what they have read elsewhere.

If you took the add-ons problem out of the equation, Firefox has a very bright future ahead of it. Memshrink and Snappy are now making Firefox a seriously competitive browser and that’s before you factor in Ionmonkey and a bunch of other stuff that is being worked on by the graphics people and other things that are way over my head.

What is going to be done? Firefox is blamed for the behaviour of add-ons that the user probably isn’t even aware of. But the sad thing is, many people say that there is no point using Firefox without the add-ons. Might as well use Chrome.

I think this needs addressing properly at the very highest level within Mozilla. A strict and fairly rapid plan should be put in place and most importantly a deadline slapped on it and someone held accountable for sorting this mess out. By the summer of this year, Firefox will be in the best shape it has ever been in, but if the add-on problems still plague it, then all the improvements will be irrelevant.

As I write this I am almost at the point of getting on my knees and begging someone at Mozilla to scrap all add-ons that aren’t hosted on AMO. Yes it’s harsh and goes against the whole open source thing, but in the longer term, it will work wonders for Firefox.

We were just talking in today’s MemShrink meeting about manually testing the top N add-ons! 🙂 It should have a good cost/benefit ratio.

As for scrapping non-AMO add-ons, that’s not going to happen. Users should be able to run any add-ons that they want. Mozilla is not Apple, and Firefox is not iOS.

But we are thinking carefully about how to improve the situation with non-AMO add-ons, especially third-party ones (i.e. ones installed by external applications). It’s a tricky problem. I don’t have much more to add right now, hopefully you’ll hear more in the coming weeks.

Nicholas,
As I was the person that started the whole McAfee Site Advisor discussion I feel that I should ask, how do I update my girlfriend’s laptop from 3.4.1 to make sure that it isn’t leaking memory from now on? Does the software autoupdate? Is there a link I can follow to download the latest version and install it over the top of the current version? Please advise me. It would be silly for me not to take corrective action after diagnosing the problem.